When the EU legislation on EU citizens’ privacy came into effect in 2018, the entire AdTech industry was severely disrupted. From companies leaving the EU en masse, to general confusion about what is and isn’t legal, to severe fines being imposed, we have seen continuous uncertainty in how companies handle GDPR.
Though GDPR only affects EU citizens and inhabitants, in essence the entire global AdTech industry has to take GDPR into account simply because of the global data interaction and exchange ecosystem that unavoidably handles EU data even beyond the EU’s borders.
Five years after the enforcement of GDPR, here is what you need to know to safely navigate the AdTech terrain in 2023, keeping your company robust with AdTech’s benefits for advertising while avoiding the pitfalls of using data incorrectly or illegally.
What is GDPR?
GDPR stands for General Data Protection Regulation. It is the European legal framework that regulates how companies use, store, acquire, and obtain the personal data of EU citizens.
According to GDPR, the final owner of an individual’s personal data is the individual themselves. They get the final say in what is done with their personal information, which means that companies have to get official, formal consent for anything they do with that personal data. They also need to provide access to the personal data of the individual whenever the individual wishes it, so that the person can see what is being done with that information and intervene if the person so wishes.
Additionally, GDPR demands that companies protect the personal data of European users and consumers. They must have strong security in place, be prepared to constantly maintain that security, inform users if there has been a data breach, and more.
Breaking GDPR laws incurs steep fines, in the area of 20 million euro or 4% of a company’s yearly revenue, whichever is higher. Liability is also quite extensive. If data is acquired through illegal means, then everyone who touched that data is liable under GDPR law, from the publisher that shares the data to the DMP that sells it to the advertiser that uses it.
Bottom line, to be in accordance with GDPR law, all data used for advertising has to have been acquired with user consent. All processing and use of that data also needs to be done with user consent. Storage of the data also needs user consent.
Lastly, taking advantage of user vulnerabilities for predatory practices of selling products or services is also considered illegal under GDPR law, especially if the exploitation of such vulnerabilities can lead to serious harm to the individual.
What data does GDPR protect?
GDPR protects all data that can be categorized as “Personally Identifiable Information” or PII. Things like a user’s name, IP address, actual address, email address, demographic data, biometric data, and more are considered PII.
Any type of info that can be used to trace back and identify individual users is PII and protected by GDPR law as already described. That’s why cookies and other third-party data are being strongly regulated and progressively phased out of AdTech and other usage.
AdTech compliant with GDPR law
The simple, but often very complicated, aspect of staying compliant with GDPR laws while still using AdTech is to make sure that consent is constantly and validly acquired from users. The more specific the consent acquired, the better protected your enterprise will be from GDPR fines or warnings.
All big companies handling massive amounts of PII are working towards that goal, from Google to Apple to Amazon. Through several, often prolonged, legal proceedings, there seems to be more fine-tuning of how to apply GDPR principles practically and safely without hurting the AdTech industry.
For example, in 2022 the EU Parliament and Council voted in the Digital Services Act (DSA) and the Digital Marketing Act (DMA). Companies that qualify and are classed as “gatekeepers” are required to properly handle data sharing within their different platforms as well as open their ecosystems to third-party companies so that they too can offer and promote their products and services.
These frameworks will be in full enforcement by 2024, with the goal of making AdTech legally accessible to all businesses.
For now, all you need to do is secure that precious consent in the most robust way possible, follow the news on the practical application of GDPR, and ensure that the AdTech you use complies with the latest consent requirements.